Jeffrey Burt reports:
The ever-widening series of supply chain attacks on Salesforce instances linked to Salesloft’ Drift app has claimed a number of new victims in recent days, including Cloudflare, Palto Alto Networks, and Zscaler.
Cybersecurity firms SpyCloud and PagerDuty also said they were hit by the UNC6395 threat group that exploited a vulnerability in Salesloft Drift OAuth integration with Salesforce to steal sensitive information from reportedly hundreds of organizations.
According to the Google Threat Intelligence Group (GTIC), UNC6395 targeted Salesforce customers’ instances from August 8 through at least August 18 via compromised OAuth tokens associated with the Salesloft Drift app, which is used by sales and marketing groups to automate sales workflows.
Salesloft bought Drift early last year.
In a blog post this week, security executives with Cloudflare said bad actors accessed the company’s Salesforce instance that it uses for customer support and case management.
Read more at Security Boulevard.
In unrelated news, members of Scattered Spider and ShinyHunters reported that a user known as “UNC6395” on Telegram (presumably named for the Google Threat Intelligence Group’s tracker for the Salesloft Drift campaign) was arrested today. There is no report suggesting that the arrest was related to any hacking activities.
Related Reading: Salesloft Drift Breach: Everything You Need to Know (SOCRadar)